Business Continuity and Resilience

In the context of the Covid-19 (Coronavirus) outbreak, financial services regulators have been working with firms to ensure they are responding effectively to the threat of disruption. All firms are expected to have contingency plans in place to deal with major events. Regulators are actively reviewing these plans including firms’ ability to continue to operate effectively, serve and support their customers, and meet their regulatory obligations.

Prior to the current crisis, regulators and industry associations including the Bank of England, Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and European Banking Association, had already issued guidelines and communications at the end of 2019 on strengthening business continuity and operational resilience in financial services, thereby already highlighting the importance of this topic. 

Although business continuity and resilience are currently in the spotlight, these concepts are not entirely new. Customers expect services to be available whenever they are ready to complete a transaction.  Client satisfaction suffers when a firm cannot provide the expected level of service, opening the door for competitors. A business continuity plan (BCP) is the process designed to enable a firm to maintain its critical activities when faced with potential disruptions arising from a range of sources such as natural or man-made disasters, terrorist or cyber incidents. A BCP is more comprehensive than traditional Disaster Recovery Plans (DRP) limited to the IT infrastructure, it also covers contingencies for personnel and business partners. Resilience is to do with designing applications and business processes for high availability.

The first and probably most critical step is conducting a rigorous Business Impact Analysis (BIA), which involves identifying the firm’s important business services, defining availability tolerances for these, and mapping the supporting resources (people, processes, technology and third-party providers). Firms then need to implement solutions to protect their people and assets, and to reduce the threat of disruption to an acceptable level, for instance, through technical security measures.  This can pose challenges given the degree of interconnectivity across hybrid IT environments and reliance on outsourcing.  Secondly, procedures must be developed to enable critical services to be maintained without disruption or resumed within acceptable timeframes.  These procedures must be adequately documented and supported by training.  Firms also need to have an effective communication plan in place to provide clear, timely and relevant communications to employees, consumers and other stakeholders in the event of an operational disruption.

The BCP should be reviewed and tested on a regular basis to ensure that it remains fit for purpose and keeps up with the pace of change. In particular, the BCP may not be effective and will need to be revisited to address new scenarios which were not initially foreseen and planned for, notably if a large portion of the population is affected by a disease outbreak.

Business continuity and resilience good practices therefore include:

1. Conducting a comprehensive Business Impact Assessment
2. Implementing Disaster Recovery countermeasures to mitigate the risk of any disruptions to the infrastructure, including consideration of Disaster Recovery as a Service (DRaaS)
3. Documenting the Business Continuity Plan in sufficiently granular detail
4. Implementing a crisis management and communication plan to be triggered in the event of a disruption
5. Keeping the plans up-to-date and testing these on a regular basis

Compliancy Services can support you in conducting your Business Impact Assessment and in reviewing your Business Continuity and Resilience arrangements.

To find out more, please contact us on [email protected] to book a discussion with one of our experienced consultants.